https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247456#M73826 <P>Exactly that! I saw that you revised your answer since I was about to say that I added the \s so that it would take everything after the space, but I see you caught that already!</P> <P>Thank you!</P> Sun, 27 Nov 2016 00:05:55 GMT andrewtrobec 2016-11-27T00:05:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247454#M73824 <P>Hello,</P> <P>I've been reading up on the <CODE>rex</CODE> command and using it to split strings, but I cannot for the life of me get it working. I have the following input:</P> <PRE><CODE>FORECAST Sun and a few passing clouds. High 13C. Winds light and variable. Partly cloudy. Low 4C. Winds light and variable. Overcast with rain showers at times. High around 10C. Winds NE at 10 to 15 km/h. Chance of rain 60%. Cloudy skies. Low 2C. Winds ENE at 10 to 15 km/h. Partly cloudy skies. High 6C. Winds light and variable. A mostly clear sky. Low -1C. Winds light and variable. A mainly sunny sky. High 6C. Winds light and variable. A mostly clear sky. Low near 0C. Winds light and variable. </CODE></PRE> <P>and my goal is to extract the temperature value into a new field FORECAST_C. I basically have to remove everything up until the space between the date, and everything after starting with "C.". My desired output is:</P> <PRE><CODE>FORECAST_C 13 4 10 2 6 -1 6 0 </CODE></PRE> <P>I've come up with</P> <PRE><CODE>rex field=entry ".\s(&lt;FORECAST_C&gt;.*)C\w." </CODE></PRE> <P>but it's clearly not working...</P> <P>Can somebody give me a hand?</P> <P>Thanks!</P> <P>Andrew</P> Sat, 26 Nov 2016 23:23:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247454#M73824 andrewtrobec 2016-11-26T23:23:17Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247455#M73825 <P>If every line is an event try this:</P> <PRE><CODE>your query to return event | rex field=_raw ".*\s(?&lt;FORECAST_C&gt;\-*[\d]+)C\..*" | table FORECAST_C </CODE></PRE> <P>If more than one lines are in per event try <CODE>max_match=0</CODE> in it:</P> <PRE><CODE>your query to return event | rex max_match=0 field=_raw ".*\s(?&lt;FORECAST_C&gt;\-*[\d]+)C\..*" | table FORECAST_C </CODE></PRE> <P>If the data in question is in <CODE>field=entry</CODE> then you can use that field as well in the above commands rather than <CODE>field=_raw</CODE>.</P> <P><A href="https://regex101.com/r/glyRO2/2">See extraction here.</A></P> Sat, 26 Nov 2016 23:55:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247455#M73825 gokadroid 2016-11-26T23:55:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247456#M73826 <P>Exactly that! I saw that you revised your answer since I was about to say that I added the \s so that it would take everything after the space, but I see you caught that already!</P> <P>Thank you!</P> Sun, 27 Nov 2016 00:05:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-numerical-value-from-within-a-string-using-rex/m-p/247456#M73826 andrewtrobec 2016-11-27T00:05:55Z